Thanks a lot for the quick answer, it works! So the ldap filters i wrote are ok, the problem was on the users file. I have 2 more questions: 1) Now i check the group membership with a numeric constant, like Ldap-Group!=800. Say the ldap posixGroup entry is: cn=staff,dc=mydomain,dc=it cn=staff gidNumber=<gid> ... I want to pick out the gid from the group 'staff', whatever this numer is, and check this number in the users file. May I write something like gid=%{ldap:ldap://dc=mydomain,dc=it?gidNumber?sub?(&(posixGroup)(cn=staff))}, and then use this var in the test Ldap-Group!=<gid> in users file? 2) Maybe a stupid question. I found very difficult to have a clear understanding of how to configure freeradius, from the documentation that comes with the rpm/deb package and the one i found on freeradius.org. Also i look for a book, but the only one i found is 'Radius' from O'Reilly, that is old and far far far away from a 'good book'. Is there some paper, some book, some doc that explain clearly the freeradius world? From a general point of view (Radius Protocol, Difference in Authorization and Authentication section, etc..) to the details (how freeradius use the request attrs/config attrs/reply attrs, the gory details of the single module configuration switch - see my mistake with 'compare_check_items=yes' in ldap, etc.)? Thanks Pietro Alan DeKok wrote:
Pietro Accerboni wrote:
Hi, here is my problem: 0) Cisco APs - Radius - Ldap authentication via 802.1x - PEAP - MSCHAPv2 works.
That's a good start.
1) I need to link the group of the user that try to authenticate with the SSID, so i can allow only a particular group of users to use a particular SSID/VLAN.
i.e. IF the user is in SSID, AND he is NOT in a particular group, THEN reject the request.
7) I really connot figure out a correct configuration of: * ldap module in radius.conf
If PEAP works, your LDAP configuration is mostly OK.
* selection in users
See below.
* mapping of group attribute in ldap.attrmap
Don't.
(radius.conf, module ldap)
...
compare_check_items = yes (if i do not set this, all users with valid credentials can log in!)
Set this to "No". The current configuration is preventing the *proper* users from logging in:
If you see in the bottom of the log, 'rlm_ldap::ldap_groupcmp: User found in group 801' but also 'rlm_ldap: Pairs do not match. Rejecting
user'
See? Don't set it. It's not needed.
(users) DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group==800 Fall-Through = no
This says "match SSID AND ldap group" ... and do nothing else. Compare that to what you wrote in (1) above.
What you want is:
DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group!=800, Auth-Type := Reject
(all on one line). See "man users" for a description of the operators.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html